The team behind the All in One SEO Pack just released a new version of their popular WordPress plugin.
It is a security release patching two privilege escalation vulnerabilities we discovered earlier this week that may affect any web site running it.
If your site has subscribers, authors or other non-admin users logging in to wp-admin, you are at risk. If you have open registration, you are at risk, so you have to update the plugin now.
While auditing their code, we found two security flaws that allow an attacker to conduct privilege escalation and cross-site scripting (XSS) attacks.
In the first case, a logged-in user without any kind of administrative privileges (such as an author or subscriber) could add or modify certain parameters used by the plugin. These include the post’s SEO title, description and keyword meta tags, all of which could lower a website’s Search Engine Results Page (SERP) ranking if changed maliciously.
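To make the class of bug concrete, here is an added illustration (written for this post, not code from All in One SEO Pack or from the Sucuri advisory) of a WordPress save-handler for per-post SEO meta, first in the shape that produces exactly this problem and then hardened. The function names, form field names and meta keys (ggs_*, _ggs_seo_*) are assumptions made up for the example; the WordPress API calls are real.

```php
<?php
// Added illustration, not the plugin's own code. Names prefixed ggs_ and
// meta keys prefixed _ggs_seo_ are assumptions for this example only.

// PROBLEM PATTERN: trusts any logged-in user who can submit the request.
// Nothing checks that the caller may edit this post, so a subscriber or an
// author editing someone else's post can overwrite the SEO title,
// description and keywords of any post ID they name.
function ggs_save_seo_meta_unsafe( $post_id ) {
    if ( isset( $_POST['ggs_seo_title'] ) ) {
        update_post_meta( $post_id, '_ggs_seo_title', $_POST['ggs_seo_title'] );
    }
    if ( isset( $_POST['ggs_seo_description'] ) ) {
        update_post_meta( $post_id, '_ggs_seo_description', $_POST['ggs_seo_description'] );
    }
    if ( isset( $_POST['ggs_seo_keywords'] ) ) {
        update_post_meta( $post_id, '_ggs_seo_keywords', $_POST['ggs_seo_keywords'] );
    }
}

// HARDENED PATTERN:
//  1. skip autosaves and revisions, which fire save_post without the form;
//  2. require a nonce bound to this post so the request came from the
//     editor form (blocks cross-site request forgery);
//  3. require the edit_post capability for *this* post, which WordPress
//     maps to edit_others_posts when the post belongs to someone else, so
//     subscribers and foreign authors are refused;
//  4. sanitize each value before storage so the stored meta cannot carry
//     markup (closes the XSS side of the same bug).
function ggs_save_seo_meta( $post_id ) {
    if ( wp_is_post_autosave( $post_id ) || wp_is_post_revision( $post_id ) ) {
        return;
    }
    if ( ! isset( $_POST['ggs_seo_nonce'] )
        || ! wp_verify_nonce( $_POST['ggs_seo_nonce'], 'ggs_save_seo_meta_' . $post_id ) ) {
        return;
    }
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    $fields = array(
        'ggs_seo_title'       => '_ggs_seo_title',
        'ggs_seo_description' => '_ggs_seo_description',
        'ggs_seo_keywords'    => '_ggs_seo_keywords',
    );
    foreach ( $fields as $field => $meta_key ) {
        if ( isset( $_POST[ $field ] ) ) {
            $value = sanitize_text_field( wp_unslash( $_POST[ $field ] ) );
            update_post_meta( $post_id, $meta_key, $value );
        }
    }
}
add_action( 'save_post', 'ggs_save_seo_meta' );

// The meta box that renders the form must emit the matching nonce field
// and escape stored values on output, otherwise step 2 above always fails
// for legitimate editors and stored values could still render as markup.
function ggs_seo_meta_box( $post ) {
    wp_nonce_field( 'ggs_save_seo_meta_' . $post->ID, 'ggs_seo_nonce' );
    $title = get_post_meta( $post->ID, '_ggs_seo_title', true );
    echo '<input type="text" name="ggs_seo_title" value="' . esc_attr( $title ) . '">';
}
```

The capability check is the one that matters for the privilege escalation described above: a role check such as "is the user logged in?" is not enough, because the question is whether this user may edit this particular post, and current_user_can( 'edit_post', $post_id ) is how WordPress answers it.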
How to prevent this from happening
We’re not going to reinvent the wheel on this one: upgrade to the latest version available for this plugin.
Note: This plugin has not been installed by us on any of the Gecko Gully client sites (we prefer Yoast’s WordPress SEO because of its WooCommerce extension). However, it could have been installed since handover, or on other readers’ sites. Please update the plugin ASAP if you have it!